Verizon Data Breach Report 2015A high level summary of the main findings from the cyber security industry’s favourite data driven report. As usual, the report is an easy read packed with analysis and information that is appetising and relevant.
The key concerns centre on the age old favourite threat scenarios of patch management and phishing attacks.
An attempt to elevate mobile applications to significance within the report left the pages with two truths – Android is much worse than any other platform (now that’s hard to have guessed!), and the reality that the majority of all malicious apps have a very short life span (4 out of 5 not lasting beyond a week!).
The Internet of Things (IoT) leaves a small read too (housed in one of the appendixes) because when the proof of concepts and media hype is removed, little real world data breach data is available. The growth in these devices is increasing though – so keep watching this space as we see their use and prevalence within our digital world spiral up.
http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015-insider_en_xg.pdf
We include at the end of this article a summary of the main statistics if you’re after the headlines.
But back to patching and phishing – What’s the news?

Sticking Plasters or Stinking Patches?

The much anticipated annual Verizon Data Breach Report has been released with compelling warnings about the perils of leaving your systems unpatched. The same day also sees the most common vendors release a barrage of fixes for their applications and platforms.
If you run software from Microsoft, Adobe or Oracle then you have critical patches to be applied! In total that’s 22 for Adobe Flash Player, 11 update bundles from Microsoft addressing over 24 bugs and a sleuth of Java updates (15) all of which are exploitable remotely (See Brian Krebs for full details! – http://krebsonsecurity.com/2015/04/critical-updates-for-windows-flash-java/)
Staggeringly, Verizon tells us that 10 separate CVEs account for almost 97% of the exploits observed in 2014. Before you relax and think all your patching problems are wound up in 10 simple patches, the remianing 3% delivers over 7 millions observed exploits against different vulnerabilities – oh yes, patching is STILL a major issue for many organisations!
99.9% of the exploited vulnerabilities were compromised over a year after they were published. A significant number of vulnerabilities being exploited are spread out over the last ten years, showing that for many attackers, older vulnerabilities are still relevant today!

Plenty of Phish are still in the sea

The finest hour for phishing is that first hour when 50% of all phishing emails are triggered. The median time-to-first-click based on a sample of 150,000 monitoring phishing tests showed this to be at 1 minute and 22 seconds. The realisation that our email and internet systems still give us one serious attack surface is highlighted with vivid effect.
Why is it called phishing?The stark reality of this report shows that phishing emails are a major factor in most organisations. Our email systems are by design set-up to allow a broad range of inbound communications to enter our business. As much as we try to control this the ability for malicious users to construct targeted, custom, believable messages based on our public profiles and digital footprints is not going to change.
As generic SPAM does get filtered the trojan horse deliveries will continue to be hidden in the legitimate traffic. Education still has a long way to go, but a more fundamental acceptance that any internet connected or email based network inherently holds a higher risk needs to be much better understood. We have to wake up to the fact that even the best and most informed users will have moments of weakness and if presented with a credible, believable email from a known source – may action the unwanted actions we are trying to stop.

Waking up to the risk

The approach needs to change so that we treat email and internet usage as an area of higher risk and protect the real assets of value within our businesses from these systems. Rather than see our internet connection itself as the place for defences, it needs to be constructed around our assets of high value within an internal secure enclave.
Nightingale floorThe Japanese did this with their Nightingale floor that was designed to shift and move and make sounds when people walked over them. Nails and clamps in the floor ensured the board squeeked giving out a sounds like the Nightingale bird (hence the name).Structure of Uguisu-bari
This gave the occupants of the building time to respond to approaching attackers even after they were inside their castle moats.
The speed at which organisations need to respond will only get shorter as the attackers know how our ability to respond is getting better. This is always an arms race and we need to be adapting and thinking of the bigger picture.

  • What is it that we are protecting and from whom?
  • What risks need to be better controlled?
  • How can we protect those assets from these risks?

Expecting phishing attacks to work means that we will then look for and hunt for the actions within our networks that demonstrate an attacker is in there and sniffing around.
If we can’t stop them getting in, let’s make sure we can detect and respond effectively when they do – and ensure anything of value is not there waiting for them.

Summary of Stats

If you’re simply after a summary of insightful stats to impress the folks in the office, your parents or mates down the pub with then here is the roundup of the best:

  • Threat Intelligence should focus on the well not the firehose – in other words quality is far better than quantity
  • For two years, more than two-thirds of incidents that comprise the Cyber-Espionage pattern have featured phishing
  • Nearly 50% of users open e-mails and click on phishing links within the first hour
  • 23% of recipients now opening phishing messages and 11% clicking on attachments
  • About half of the CVEs exploited in 2014 went from publish to pwn in less than a month
  • A CVE being added to metasploit or given a cool name was as good an indicator as any that a vulnerability would be having a big impact
  • An average of 0.03% of smartphones per week—out of tens of millions of mobile devices on the Verizon network — were infected with “higher-grade” malicious code
  • 4 out of 5 mobile malicious apps didn’t last beyond a week with 96% of malicious mobile malware aimed at Android
  • Malware is the big news of the day – 70-90% of malware samples are unique to an organisation
  • However, 70% of all malware is derived from around 20 key families

 
 
To contact Nettitude’s editor, please email media@nettitude.com.